Re: Scanning. Is it dangerous?

[ryan () SECURITYFOCUS COM (Ryan Russell)]

On Sat, 29 Apr 2000, Sarunas Krivickas wrote:

> As I see, almost everyone there are worried about some kind of scanning for
> own subnets, ports, etc. Do you think it is real danger to you system? So if
> it is true, the scans as a dangerous actions has to be recognized in your
> risk management and IT security policy.

The few policies I've seen tend to cover actions under the control of the
company (i.e. employees.)  Those may very well include port scans
explicitly.  Policy & procedure may cover how to react to events from
external sources (when to call law enforcement, when to call ISP, when to
monitor, when to do nothing.)

> Does the simple scan of your system
> has the right place in your policy and also is the trigger to initiate
> actions and rise the alarm? Of course, we are able to recognize DoS or
> something like that, but almost all incidents there are talking about
> simple, usual and not dangerous actions. Yes, you have to think about this
> kind of actions (I do not call it as attack) if your system is totally
> unprotected.

Without getting into the honeypot issue, which played out here recently, I
believe most folks watch for port scans as an early-warning
mechanism.  That might be a reasonable flag to watch for activity from
that IP address manually, for example.  Other folks will just block all
traffic for a period of time from an address that scans.  You have to
watch out for DoS possibilities of course.

> Lets go to discuss a little bit about subject!
> My question is how the recognized simple scanning is described in your IT
> security policy and why scanning is so dangerous for you?

Most folks consider scanning a hostile activity, as there is typically no
legitimate reason for it.  Laws vary about scanning, from being explictly
legal to explictly illegal, with most places falling in-between.

In places where it is explictly illegal, watching for them is very
relevent.

                                        Ryan